FY 2007 OFFICE OF INSPECTOR GENERAL
FISMA REVIEW OF GSA'S INFORMATION TECHNOLOGY SECURITY PROGRAM
REPORT NUMBER A070108/O/T/F07015

September 17, 2007

U.S. GENERAL SERVICES ADMINISTRATION
Office of Inspector General

Date: September 17, 2007

To: Casey Coleman
    Chief Information Officer (I)

Reply to Attn of: Gwendolyn A. McGowan
    Deputy Assistant Inspector General for Information Technology Audits (JA-T)

Subject: FY 2007 Office of Inspector General FISMA Review of GSA's Information Technology Security Program, Report Number A070108/O/T/F07015

INTRODUCTION

Background

The Federal Information Security Management Act of 2002 (FISMA) provides a framework for securing Federal information systems including: (1) ensuring the effectiveness of information security controls over information resources; (2) development and maintenance of minimum controls required to protect Federal information and information systems; and (3) a mechanism for improved oversight of agency information security programs. This audit report presents the results of the Inspector General's Fiscal Year (FY) 2007 independent evaluation of the General Services Administration's (GSA) agency-wide Information Technology (IT) Security program and controls for select systems, as required by FISMA.
This audit report is provided for inclusion as an appendix in GSA's FY 2007 FISMA report and FY 2009 budget submission to the Office of Management and Budget (OMB).

Objectives, Scope, and Methodology

The objective of this audit was to assess the effectiveness of GSA's IT security program and practices for select systems in meeting FISMA requirements and is based on the results of four independent audits of the following systems: Region 8 FTS LAN, Region 8 PBS LAN, GSAjobs, and the Fleet Management System. Our response to specific questions in the OMB FY 2007 reporting template for FISMA, attached as Appendix A, includes a fifth system evaluated as part of an ongoing audit.

In 2007, we conducted independent IT system security audits of four GSA systems, two of which were operated by contractors. System security controls were reviewed to assess implementations of GSA's IT security program. Appendix B lists the four systems reviewed as part of this audit, and the fifth system used to prepare responses in the attached OMB reporting template. To answer Question 6 in the OMB reporting template, we relied on an ongoing audit of GSA's efforts to protect sensitive information. The Results of Audit section of this report also refers to significant IT system security weaknesses identified in two additional IT system audits conducted in 2007, which identified issues consistent with our FISMA system security audits. We reviewed applications and data repositories for inclusion in the IT system security control process. FISMA audit work relied on GSA's IT security policy [1] and procedures, standards, and guidelines for implementing GSA's IT security program.

1745 Jefferson Davis Highway, Suite 607, Arlington, VA 22202-3402
We met with Agency IT security officials in the Office of the GSA Chief Information Officer (GSA-CIO) and in Services, Staff Offices, and Regions (S/SO/R), including the GSA Senior Agency Information Security Officer (SAISO), Information System Security Managers (ISSMs), and Information System Security Officers (ISSOs) for select systems. To assess controls implementing commonly accepted IT security principles and practices, we used the National Institute of Standards and Technology (NIST) Federal Information Processing Standards Publications, and Special Publication (SP) 800 Series security guidelines. Limited control tests from thirteen chapters of NIST SP 800-100, Information Security Handbook: A Guide for Managers, October 2006, were included in the review of GSA's IT security program. To assess the effectiveness of GSA's IT security program implementation, we examined system risk assessments, system security plans, system security assessment results, certification and accreditation (C&A) letters, contingency plans, and system-level Plans of Action and Milestones (POA&M) for each system. In addition to reviewing the comprehensiveness of documentation, we evaluated additional management, technical, and operational controls using: vulnerability scanning, database configuration testing, and reviews of environmental and physical security, background investigations, and training. IT system security audits for FISMA also included a detailed analysis of web applications.
In addition to FISMA, NIST, and GSA guidance, we used other applicable regulations and policies, including: OMB Circular A-130 Revised, Appendix III, Security of Federal Automated Information Resources, November 2000; and Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004. Audit work was performed between February and August 2007 in accordance with generally accepted government auditing standards.

[1] GSA Order CIO P 2100.1C - GSA Information Technology Security Policy, February 17, 2006 and the revised GSA Order CIO P 2100.1D - GSA Information Technology Security Policy, June 21, 2007.

RESULTS OF AUDIT

GSA's IT security program has taken steps to establish an inventory of GSA systems, designate system security roles and responsibilities, and incorporate NIST guidance. Since the implementation of FISMA, the GSA-CIO has taken further steps to identify and reduce risks through designations of additional management, operational, and technical controls outlined in GSA's IT security policy and procedures. Despite these efforts, GSA's IT security program has not been fully effective in ensuring that risks for all applications, data repositories, and services within system boundaries are identified and mitigated. Oversight of contractor-supported systems was not comprehensive where systems were not secured, and contractor background investigations were not consistently conducted. Configuration management should be strengthened in the area of configuration settings, and Agency policies and procedures are in need of improvement in some cases. As a result, GSA's information assets have been exposed to undue risks of inappropriate disclosure, destruction, and alteration.
The IT security program has not been fully successful due to the lack of a program implementation plan. The GSA-CIO should assist senior management in developing and adopting an implementation plan with performance goals and measures for system security officials. Accountability is important for the success of GSA's IT security program and should guide an implementation plan that will assist with managing GSA's changing risk environment. At the system level, we also concluded that an effective implementation plan for GSA's IT security program should include a more detailed inventory process, improved contractor oversight, and more comprehensive configuration management.

Appendix A contains our responses to specific FISMA questions, as requested by OMB. Our responses include assessments of the security for GSA's major applications and general support systems, as noted in Appendix B.

GSA IT System Security Risks and Related Controls Are Not Comprehensively Addressed for All Applications, Data Repositories, and Services Within System Boundaries

GSA's information assets have been exposed to risks of inappropriate disclosure, destruction, and alteration when weaknesses were not identified and appropriately mitigated for all applications, data repositories, and services within system boundaries. OMB Circular A-130, Appendix III, requires that agencies "implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications." System security audits in 2007 identified a major application with multiple web applications not addressed with the system security plan.
A general support system used across the Agency contained databases where risks were not identified and addressed as part of the certification and accreditation process, inappropriately exposing sensitive GSA data to undue risks. Another major application implemented an external reporting module without assessing the risk and security of the module, which also inappropriately exposed sensitive GSA data to undue risks. Despite efforts to clarify and enhance GSA's IT system security policy, system certification and accreditation efforts are not consistently comprehensive and effective.

With our FISMA audit work since 2004, we have repeatedly identified and reported that system security officials have not adequately addressed all functionality and data within systems. In 2004, we identified that the GSA system inventory was incomplete, and the GSA-CIO took steps to address the risks and complete the Agency inventory. We also reported that for the systems we reviewed, the C&A process was not implemented consistently, not updated after major system changes, or not completed. We recommended strengthening policy and procedures to better manage risks by incorporating controls to ensure that C&A documentation, including risk assessments, security plans, and security plan testing and evaluations, are current and complete. In 2005, we found that one general support system had deployed Voice over Internet Protocol without updating its risk assessment and security plan, and another general support system moved to a new operating system and combined two networks without addressing the changes in a subsequent update to the security plan.
We also reported that the C&A process was not consistently implemented and recommended that the GSA-CIO improve security over GSA's data and IT assets by taking actions to increase oversight of the implementation of GSA's IT security policy and procedures related to C&A. GSA's C&A process was revised to include oversight by the SAISO and a requirement for a review of C&A documents, but did not focus on accountability and the inventory of data and applications. In 2006, we again found inconsistent implementation of the C&A process where we identified incomplete risk assessments, system security plans, security assessments, and contingency plans for systems reviewed. C&A documentation for a general support system was not updated to address additional functionality of the reviewed component. A contractor-provided system did not follow GSA procedural guides when developing C&A documentation. Similar deficiencies identified in 2007 are evidence that an approach that goes beyond the current policy is needed to successfully implement FISMA. The inability of GSA system officials to consistently ensure effective implementation of FISMA and GSA's IT security policy is due, in part, to a lack of a comprehensive inventory of the applications, data repositories, and services residing on their systems, as well as accountability for identifying and mitigating risks for items in the inventory. The GSA IT security policy states that system owners are "management officials within GSA who bear the responsibility for the acquisition, development, maintenance, implementation, and operation of GSA's IT systems." Since the system owner is responsible for integrating and explicitly identifying funding for information systems and programs into IT investment and budgeting plans, that individual should be aware of all applications, databases, and services within the information system.
The GSA-CIO's IT security program currently relies on a budget-based inventory of systems, which is not at the level of detail needed to manage system level risks. An inventory process that will require system owners to identify and periodically report on all applications, data repositories, and services maintained within their systems is needed to ensure that the certification and accreditation process is comprehensively and completely performed as part of management's IT security implementation plan.

Oversight of Contractor-Supported Systems Should Be More Comprehensive

GSA's management of risks and oversight of contractor-supported systems should be more comprehensive, as evidenced in two areas of risk: (1) inadequately secured contractor-provided solutions had weaknesses not detected by GSA system security officials; and (2) the lack of contractor background investigations is a problem this year and has been reported as an area of risk with our FISMA and GISRA audits since 2002. FISMA requires each agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Our repeated findings confirm that despite GSA's efforts and implementation of a program that includes policies, procedures, and assigned roles and responsibilities, the program has not successfully ensured that contractor-supported systems comply with established requirements.

Contractor-Provided Solutions
GSA's IT security program has not been effective in engaging GSA management to consistently enforce policy and procedures for contractor-provided solutions supporting GSA programs and maintaining GSA data.
In 2007, audit tests of a contractor-provided major application revealed that oversight of IT security for the system was not adequately performed by GSA system security officials, who did not ensure that the contractor had applied GSA's IT security policy and procedural guidance. Enforcement of existing task order clauses would have identified system security weaknesses and alerted GSA management to vulnerabilities identified during our audit of the system. In 2006, contractors providing solutions for GSA were not provided with GSA's IT security policy and procedures by the ISSO, were not adequately monitored for compliance with the Agency IT security policy, and were unaware of several vulnerabilities detected during our review. In 2004 and 2005, we reported on contractor-provided solutions that were not compliant with the Agency IT security policy and procedures required by their contracts with GSA. These repeated findings confirm that efforts to implement management action plans in response to prior audit recommendations did not consistently improve system owners' efforts to secure contractor-provided solutions.

Contractor Background Investigations
Controls currently in place and those planned under HSPD-12 will not ensure that contractor background investigations are requested and completed before access is granted to GSA systems. We identified contractor personnel security issues with all systems included in this year's FISMA review, which place GSA systems and data at increased risk from contractors granted access to systems before investigations are completed.
For one system, 25 contractors were granted access before background investigations were requested, although the task order stated that "no access shall be given to the government computer information systems and government sensitive information without a background investigation being verified or in process." Two contractor-supported systems granted temporary access to contractors, but full investigations were not requested for all of the contractors, and there were no procedures in place to ensure that investigations were completed. GSA's IT security policy designates responsibilities for ensuring that users have the required background investigations to the ISSO, Authorizing Official, Data Owner, and Contracting Officers/Contracting Officer's Technical Representative. Without a single point of responsibility and accountability within GSA for ensuring completion of background investigations, background investigations remain an oversight challenge. The lack of background investigations being completed for contractors is also a recurring weakness and has been included in FISMA and GISRA reports issued since 2002 and is a significant system security risk. Management's response to prior recommendations deferred resolution to implementation of HSPD-12, which requires all Federal governmental departments and agencies to conduct background investigations, adjudicate the results, and issue identity credentials to Federal employees and contractors who require long-term access to its federally controlled facilities and information technology systems.
However, this issue is not being addressed by HSPD-12 since contractors supporting GSA systems are often not housed in government facilities or accessing Government managed systems.

Opportunities to Strengthen Configuration Management Were Identified

During the past several years GSA has stressed the need to expand testing of system configurations to include databases and web applications as our audit tests were expanded to address emerging IT security threats in these areas. In 2007, we identified opportunities to strengthen configuration management and reduce risks to GSA systems and data in two areas. First, insecure configuration settings were identified in system reviews of web application security, database security, and operating system security that could affect the confidentiality, integrity, and availability of those GSA systems. Second, Agency configuration management policies and procedures for handling of unsuccessful login attempts and warning banners were conflicting and not in conformance with best practices.

Configuration Settings
System vulnerabilities in the four systems reviewed this year resulted from configuration settings that were not in full conformance with GSA guidance. System testing identified insecure configuration settings in web applications, databases, and operating systems. Web application configurations deviated from GSA's procedural guidance in three systems, including two systems with critical vulnerabilities. One web application was susceptible to a denial-of-service attack that could affect system availability. A number of configuration weaknesses were identified with Lotus Domino database servers that were not configured in accordance with best practices. Lotus Domino is widely used by the Agency, but GSA has not developed procedural guidance for Lotus Domino.
An Oracle database on another system was not configured in accordance with GSA's Oracle database hardening guide [2]. Operating system vulnerabilities were identified in three of the four systems we reviewed.

Configuration settings weaknesses resulted when applications, data repositories, and services were not identified and addressed. While the GSA-CIO has issued guidance on web application security and has initiated a centralized program for evaluating web application security, this has not effectively ensured that guidance is being applied to all of GSA's web applications. To address configuration settings weaknesses in Lotus Domino, a procedural or hardening guide is needed. System security officials are responsible for applying secure configurations in all applications, data repositories, and services within their systems.

Configuration Management Policies and Procedures
GSA's configuration management policies and procedures contain conflicts in handling invalid login attempts for web applications, and requirements for warning banners are not comprehensive. The GSA IT security policy conflicts with the GSA Procedural Guide on Web Application Security on the handling of unsuccessful login attempts. GSA's IT security policy requires user lockout after ten unsuccessful attempts, while the procedural guide incorporates best practices and specifies delaying the login time between unsuccessful login attempts. Delaying invalid login attempts for web applications can prevent certain denial-of-service attacks. Agency guidance on the use of warning banners should also be updated for publicly accessible systems and web applications. GSA's IT security policy requires the use of a specific warning banner, but is not consistent with the System Use Notification control in NIST SP 800-53, which describes different requirements for publicly accessible systems.
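As an added illustration that is not part of this report or of either GSA document, the Python below models the two approaches the paragraph contrasts, a ten-attempt account lockout and a progressive delay between attempts, and runs both over a constructed trace in which wrong passwords are submitted against one account from one address before the account owner logs in. The lockout threshold is the figure stated in the policy; the delay schedule, the per-source keying, the addresses and the user name are assumptions made for the example.

```python
"""Two responses to repeated failed web-application logins, compared.

Constructed example: a ten-failure account lockout versus a growing delay
between attempts. Only the threshold of ten comes from the policy text;
the delay schedule, per-source keying, addresses and names are assumed.
"""
from collections import Counter
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10      # "user lockout after ten unsuccessful attempts"
BASE_DELAY_SECONDS = 1.0    # assumed first delay; doubles on each further failure
MAX_DELAY_SECONDS = 60.0    # assumed cap so the wait never grows unbounded


@dataclass
class Attempt:
    time: float          # seconds since the start of the constructed trace
    user: str
    source: str          # client address (constructed, RFC 5737 documentation range)
    password_ok: bool    # what the credential check would return


@dataclass
class Outcome:
    accepted: bool
    reason: str          # "ok", "bad_password", "locked" or "too_early"


@dataclass
class LockoutPolicy:
    """Count consecutive failures per account; once the threshold is reached,
    every further login for that account is refused until it is reset.
    Anyone able to submit wrong passwords can therefore disable the account."""
    threshold: int = LOCKOUT_THRESHOLD
    failures: Counter = field(default_factory=Counter)
    locked: set = field(default_factory=set)

    def login(self, a: Attempt) -> Outcome:
        if a.user in self.locked:
            return Outcome(False, "locked")
        if a.password_ok:
            self.failures[a.user] = 0
            return Outcome(True, "ok")
        self.failures[a.user] += 1
        if self.failures[a.user] >= self.threshold:
            self.locked.add(a.user)
            return Outcome(False, "locked")
        return Outcome(False, "bad_password")


@dataclass
class DelayPolicy:
    """Progressive delay keyed by (account, source): after the n-th consecutive
    failure, that source may not retry the account until base * 2**(n-1)
    seconds have passed (capped). Early retries are refused without a
    credential check, so guessing is slowed while the account stays usable
    from any other source, including the owner's."""
    base: float = BASE_DELAY_SECONDS
    max_delay: float = MAX_DELAY_SECONDS
    state: dict = field(default_factory=dict)   # (user, source) -> (failures, not_before)

    def login(self, a: Attempt) -> Outcome:
        key = (a.user, a.source)
        failures, not_before = self.state.get(key, (0, 0.0))
        if a.time < not_before:
            return Outcome(False, "too_early")
        if a.password_ok:
            self.state.pop(key, None)
            return Outcome(True, "ok")
        failures += 1
        wait = min(self.base * 2 ** (failures - 1), self.max_delay)
        self.state[key] = (failures, a.time + wait)
        return Outcome(False, "bad_password")


def constructed_trace() -> list:
    """Ten wrong passwords for 'alice' from one address, one per second,
    then alice's correct login from her own address at t = 20 s."""
    guesser, owner = "203.0.113.9", "198.51.100.7"
    trace = [Attempt(float(t), "alice", guesser, False) for t in range(10)]
    trace.append(Attempt(20.0, "alice", owner, True))
    return trace


def compare(trace=None) -> dict:
    """Run one trace through both policies and summarise the outcomes."""
    trace = constructed_trace() if trace is None else trace
    lock_policy, delay_policy = LockoutPolicy(), DelayPolicy()
    lock = [lock_policy.login(a) for a in trace]
    delay = [delay_policy.login(a) for a in trace]
    return {
        "owner_accepted_under_lockout": lock[-1].accepted,   # False: owner locked out
        "owner_accepted_under_delay": delay[-1].accepted,    # True
        "lockout_reasons": Counter(o.reason for o in lock),
        "delay_reasons": Counter(o.reason for o in delay),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```

Under the lockout policy the tenth wrong guess locks the account and the owner's later correct login is refused, which is the denial-of-service effect the paragraph refers to; under the delay policy only four of the ten guesses reach a credential check and the owner's login succeeds. Keying the delay by source alone is an assumption here, and a guesser rotating addresses would need additional controls.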
Additionally, we identified web applications in our review this year that did not include warning banners, and concluded that the GSA web application security procedural guide could be strengthened by referring to banner requirements from the GSA IT security policy.

[2] GSA IT Security Procedural Guide: Oracle Database Hardening, CIO-IT Security-05-28, March 2005.

Conclusion

Conditions reported in 2007 and prior years indicate that management actions have not been fully effective in mitigating risks and securing GSA's systems. The need for a successful security program implementation plan, adopted by senior management, is evidenced by these recurring findings. GSA relies on a budget-based inventory of systems, which is not at the level of detail needed to identify and manage system level security risks. An inventory process that requires system owners to identify and periodically report on all applications, data repositories, and services maintained within their systems is needed as part of an IT security program implementation plan. We conclude that management accountability remains important for successful implementation of FISMA and the success of GSA's IT security program. Specific steps to assist senior management officials in developing and adopting performance goals and measures for system security officials, consistent with IT security program implementation plan goals, are needed to move GSA towards more secure systems and data.

RECOMMENDATIONS

To strengthen GSA's IT security program and improve the security of information technology assets, we recommend that the GSA Chief Information Officer take actions to:

   1. Develop an implementation plan to be adopted by management that incorporates agency-wide objectives and measures of progress necessary to meet IT security program goals.
   2. Improve management accountability by developing an inventory process that will require system owners to identify and periodically report on all applications, data repositories, and services maintained within their systems.
   3. Enhance management's oversight of contractor-supported systems by:
      a. Developing processes that promote and measure enforcement of existing task order clauses.
      b. Establishing a single point of contact for contractor background investigations.
   4. Strengthen configuration management of GSA's systems by updating the GSA IT security policy and related procedural guidance to address:
      a. Handling successive unsuccessful login attempts in web applications.
      b. Warning banner requirements for both publicly accessible systems and web applications.
      c. Secure configuration of Lotus Domino.
   5. Assist senior management officials in developing and adopting performance goals and measures for system security officials, consistent with the IT security program implementation plan.

MANAGEMENT COMMENTS

The GSA-CIO concurred with the findings and recommendations outlined in this report. A copy of the GSA-CIO's comments is included in its entirety in Appendix C.

INTERNAL CONTROLS

As discussed in the Objectives, Scope, and Methodology section of this report, the objective of our review was to assess the effectiveness of GSA's IT security program and practices for select systems in meeting FISMA requirements. This audit included a review of selected management, operational, and technical controls for GSA's IT security program.
The Results of Audit and Recommendations sections of this report state in detail the need to strengthen specific controls within the GSA IT security program.

We would like to express our thanks to the GSA-CIO and her staff for their assistance and cooperation during the audit. An electronic copy of this report comprising two files is being provided for inclusion in the GSA FISMA report to OMB and Congress. Please contact me if you have any questions regarding this report.

Larry atem mi
Director, Information Technology Security Audit Services
Information Technology Audit Office (JA-T)

APPENDIX A

GSA, OFFICE OF INSPECTOR GENERAL RESPONSES TO THE OFFICE OF MANAGEMENT AND BUDGET'S FISMA QUESTIONS

The following EXCEL Workbook is transmitted in a separate file using the format directed by the Office of Management and Budget.

Section C - Inspector General: Questions 1 and 2
Agency Name: General Services Administration
Submission date: September 17, 2007

Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key. Question 1: (a) Agency Systems: Number, Number Reviewed; (b) Contractor Systems: Number, Number Reviewed; (c) Total Number of Systems (Agency and Contractor systems): Total Number, Total Number Reviewed. Question 2: (a) Number of systems certified and accredited: Total, Percent of Total; (b) Number of systems for which security controls have been tested and reviewed in the past year: Total, Percent of Total; (c) Number of systems for which contingency plans have been tested in accordance with policy: Total, Percent of Total.

Bureau Name | FIPS 199 System Impact Level | Q1a Number | Q1a Number Reviewed | Q1b Number | Q1b Number Reviewed | Q1c Total Number | Q1c Total Number Reviewed | Q2a Total | Q2a Percent of Total | Q2b Total | Q2b Percent of Total | Q2c Total | Q2c Percent of Total
Public Buildings Service (PBS) | High | 0 | | 0 | | 0 | 0 | | | | | |
Public Buildings Service (PBS) | Moderate | 10 | | 0 | | 10 | 0 | | | | | |
Public Buildings Service (PBS) | Low | 0 | | 0 | | 0 | 0 | | | | | |
Public Buildings Service (PBS) | Not Categorized | 0 | | 0 | | 0 | 0 | | | | | |
Public Buildings Service (PBS) | Sub-total | 10 | 0 | 0 | 0 | 10 | 0 | 0 | | 0 | | 0 |
Federal Acquisition Service (FAS) - Formerly FSS | High | 0 | | 0 | | 0 | 0 | | | | | |
Federal Acquisition Service (FAS) - Formerly FSS | Moderate | 1 | | 9 | 1 | 10 | 1 | 1 | 100% | 1 | 100% | 1 | 100%
Federal Acquisition Service (FAS) - Formerly FSS | Low | 2 | | 3 | | 5 | 0 | | | | | |
Federal Acquisition Service (FAS) - Formerly FSS | Not Categorized | 0 | | 0 | | 0 | 0 | | | | | |
Federal Acquisition Service (FAS) - Formerly FSS | Sub-total | 2 | 0 | 12 | 1 | 14 | 1 | 1 | 100% | 1 | 100% | 1 | 100%
Federal Acquisition Service (FAS) - Formerly FTS | High | 0 | | 1 | | 1 | 0 | | | | | |
Federal Acquisition Service (FAS) - Formerly FTS | Moderate | 2 | | 4 | | 6 | 0 | | | | | |
Federal Acquisition Service (FAS) - Formerly FTS | Low | 0 | | 2 | | 2 | 0 | | | | | |
Federal Acquisition Service (FAS) - Formerly FTS | Not Categorized | 0 | | 0 | | 0 | 0 | | | | | |
Federal Acquisition Service (FAS) - Formerly FTS | Sub-total | 2 | 0 | 0 | 0 | 2 | 0 | 0 | | 0 | | 0 |
Office of the Chief Acquisition Officer (OCAO) | High | 0 | | 0 | | 0 | 0 | | | | | |
Office of the Chief Acquisition Officer (OCAO) | Moderate | 0 | | 4 | | 4 | 0 | | | | | |
Office of the Chief Acquisition Officer (OCAO) | Low | (remaining rows of the worksheet are not present in the source)
  2                     2                     4          0\n                                                                         Not Categorized               0                     0                     0          0\n                                                                         Sub-total                     2          0          6          0          8          0         0                   0                   0\nOffice of Governmentwide Policy (OGP)                                    High                          0                     0                     0          0\n                                                                         Moderate                      1                     4                     5          0\n                                                                         Low                           3                     2                     5          0\n                                                                         Not Categorized               0                     0                     0          0\n                                                                         Sub-total                     4          0          6          0         10          0         0                   0                   0\nOffice of the Chief Information Officer (OCIO)                           High                          0                     0                     0          0\n                                                                         Moderate                     15          2          0                    15          2         2      100%         2      100%         2      100%\n                                                                         Low                           0                     0                     0          0\n                                                                         Not Categorized               0                     0                     0          0\n         
                                                                Sub-total                    15          2          0          0         15          2         2      100%         2      100%         2      100%\nOffice of the Chief Financial Officer (OCFO)                             High                          0                     0                     0          0\n                                                                         Moderate                      1                     3          1          4          1         1      100%         1      100%         1      100%\n                                                                         Low                           0                     0                     0          0\n                                                                         Not Categorized               0                     0                     0          0\n                                                                         Sub-total                     1          0          3          1          4          1         1      100%         1      100%         1      100%\nOffice of the Chief Human Capital Officer (OCHCO)                        High                          0                     0                     0          0\n                                                                         Moderate                      0                     2          1          2          1         1      100%         1      100%         1      100%\n                                                                         Low                           0                     0                     0          0\n                                                                         Not Categorized               0                     0                     0          0\n                                                                         Sub-total                     0          0          2          1          2          
1         1      100%         1      100%         1      100%\nOffice of Inspector General (OIG)                                        High                          0                     0                     0          0\n                                                                         Moderate                      1                     0                     1          0\n                                                                         Low                           0                     0                     0          0\n                                                                         Not Categorized               0                     0                     0          0\n                                                                         Sub-total                     1          0          0          0          1          0         0                   0                   0\nOffice of General Counsel (OGC)                                          High                          0                     0                     0          0\n                                                                         Moderate                      0                     0                     0          0\n                                                                         Low                           1                     0                     1          0\n                                                                         Not Categorized               0                     0                     0          0\n                                                                         Sub-total                     1          0          0          0          1          0         0                   0                   0\nBoard of Contract Appeals (BCA)                                          High                          0                     0                     0          0\n                                                                  
       Moderate                      0                     0                     0          0\n                                                                         Low                           1                     0                     1          0\n                                                                         Not Categorized               0                     0                     0          0\n                                                                         Sub-total                     1          0          0          0          1          0         0                   0                   0\nOffice of Citizen Services and Communications (OCSC)                     High                          0                     0                     0          0\n                                                                         Moderate                      0                     0                     0          0\n                                                                         Low                           0                     2                     2          0\n                                                                         Not Categorized               0                     0                     0          0\n                                                                         Sub-total                     0          0          2          0          2          0         0                   0                   0\nAgency Totals                                                            High                          0          0          1          0          1          0         0                   0                   0\n                                                                         Moderate                     31          2         26          3         57          5         5      100%         5      100%         5      100%\n                                                                         Low         
                  9          0         11          0         20          0         0                   0                   0\n                                                                         Not Categorized               0          0          0          0          0          0         0                   0                   0\n                                                                         Total                        40          2         38          3         78          5         5      100%         5      100%         5      100%\n\n\n\n\n                                                                                                           A-2\n\x0c                                             Section C - Inspector General: Question 3\nAgency Name:   General Services Administration\n               Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory\n\n      3.a.     The agency performs oversight and evaluation to ensure information systems used or operated by a\n               contractor of the agency or other organization on behalf of the agency meet the requirements of\n               FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.\n\n               Agencies are responsible for ensuring the security of information systems used by a contractor of their\n               agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet\n               the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider,\n                                                                                                                              Sometimes (51-70% of the\n               may be sufficient. 
Agencies and service providers have a shared responsibility for FISMA compliance.\n                                                                                                                              time)\n               Response Categories:\n                - Rarely- for example, approximately 0-50% of the time\n                - Sometimes- for example, approximately 51-70% of the time\n                - Frequently- for example, approximately 71-80% of the time\n                - Mostly- for example, approximately 81-95% of the time\n                - Almost Always- for example, approximately 96-100% of the time\n\n               The agency has developed a complete inventory of major information systems (including major\n      3.b.     national security systems) operated by or under the control of such agency, including an\n               identification of the interfaces between each such system and all other systems or networks,\n               including those not operated by or under the control of the agency.\n                                                                                                                            Inventory is 96-100%\n               Response Categories:\n                                                                                                                            complete\n                - The inventory is approximately 0-50% complete\n                - The inventory is approximately 51-70% complete\n                - The inventory is approximately 71-80% complete\n                - The inventory is approximately 81-95% complete\n                - The inventory is approximately 96-100% complete\n\n      3.c.     The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.                                  Yes\n\n               The IG generally agrees with the CIO on the number of information systems used or operated by a\n      3.d.                                               
                                                                              Yes\n               contractor of the agency or other organization on behalf of the agency. Yes or No.\n\n      3.e.     The agency inventory is maintained and updated at least annually. Yes or No.                                            Yes\n\n               If the Agency IG does not evaluate the Agency\'s inventory as 96-100% complete, please identify the known missing systems by\n      3.f.     Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if\n               known), and indicate if the system is an agency or contractor system.\n\n                                                                                                                               Agency or\n                                                                                                Exhibit 53 Unique Project\n                         Component/Bureau                          System Name                                                 Contractor\n                                                                                                     Identifier (UPI)\n                                                                                                                                system?\n\n\n\n\n               Number of known systems missing from\n               inventory:\n\n\n\n\n                                                                     A-3\n\x0c                                                    Section C - Inspector General: Questions 4 and 5\nAgency Name: General Services Administration\n                                     Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process\nAssess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process.\nEvaluate the degree to which each statement reflects the status in your 
agency by choosing from the responses provided. If appropriate or\nnecessary, include comments in the area provided.\n\nFor each statement in items 4.a. through 4.f., select the response category that best reflects the agency\'s status.\n\nResponse Categories:\n - Rarely- for example, approximately 0-50% of the time\n - Sometimes- for example, approximately 51-70% of the time\n - Frequently- for example, approximately 71-80% of the time\n - Mostly- for example, approximately 81-95% of the time\n - Almost Always- for example, approximately 96-100% of the time\n                  The POA&M is an agency-wide process, incorporating all known IT security weaknesses\n       4.a.       associated with information systems used or operated by the agency or by a contractor of the                   Almost Always (96-100% of the time)\n                  agency or other organization on behalf of the agency.\n                  When an IT security weakness is identified, program officials (including CIOs, if they own or\n       4.b.                                                                                                                      Almost Always (96-100% of the time)\n                  operate a system) develop, implement, and manage POA&Ms for their system(s).\n                  Program officials and contractors report their progress on security weakness remediation to the\n       4.c.                                                                                                       Almost Always (96-100% of the time)\n                  CIO on a regular basis (at least quarterly).\n                  Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly\n       4.d.                                                                                                                      Almost Always (96-100% of the time)\n                  basis.\n\n       4.e.       IG findings are incorporated into the POA&M process.           
                                                Almost Always (96-100% of the time)\n\n                  POA&M process prioritizes IT security weaknesses to help ensure significant IT security\n       4.f.                                                                                                                      Almost Always (96-100% of the time)\n                  weaknesses are addressed in a timely manner and receive appropriate resources.\n                  POA&M process comments: The General Services Administration, Chief Information Officer, has developed an agencywide POA&M\n                  process. All five systems reviewed have a POA&M and most known IT security weaknesses were being managed in the POA&Ms.\n                  However, the POA&M for one major application did not include 3 of 10 weaknesses.\n\n\n\n\n                                          Question 5: IG Assessment of the Certification and Accreditation Process\nProvide a qualitative assessment of the agency\'s certification and accreditation process, including adherence to existing policy, guidance, and\nstandards. Provide narrative comments as appropriate.\n\nAgencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for\ncertification and accreditation work initiated after May 2004. This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information\nand Information Systems" (February 2004) to determine a system impact level, as well as associated NIST document used as guidance for completing risk\nassessments and security plans.\n\n                  The IG rates the overall quality of the Agency\'s certification and accreditation process as:\n\n                  Response Categories:\n                   - Excellent\n       5.a.                                                                                                                      
Satisfactory\n                   - Good\n                   - Satisfactory\n                   - Poor\n                   - Failing\n\n                  The IG\'s quality rating included or considered the following aspects of the C&A process: Security plan                                   X\n                  (check all that apply)\n                                                                                                                 System impact level                       X\n                                                                                                                 System test and evaluation                X\n                                                                                                                 Security control testing                  X\n       5.b.\n                                                                                                                 Incident handling                         X\n                                                                                                                 Security awareness training               X\n                                                                                                                 Configurations/patching                   X\n                                                                                                                 Other:\n                  C&A process comments: GSA\'s C&A process is satisfactory, but weak implementaion by system owners result in a program that has not effectively\n                  ensured that risks for all applications, data repositories, and services within system boundaries are identified and mitigated. 
Most conditions identified in 2007 were also reported in prior years, indicating that management actions in response to prior year FISMA audit reports have not been fully effective in mitigating risk and securing GSA's systems, due in part to a continuing lack of accountability. We concluded that effective implementation of GSA's IT Security Program at the system level is dependent upon a more detailed and granular inventory process and increased accountability.


Section C - Inspector General: Questions 6 and 7
Agency Name: General Services Administration

Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6.a.  Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D II.4 (SAOP reporting template), including adherence to existing policy, guidance, and standards.

      Response Categories:
       - Excellent
       - Good
       - Satisfactory
       - Poor
       - Failing

      Response: Satisfactory

      Comments: GSA has appointed a senior official for privacy, issued a privacy benchmark report, updated policy, taken steps toward improving the protection of PII, and implemented a PIA process. Controls for encryption of PII stored on mobile devices or accessing PII from personally owned computers are not yet implemented.

6.b.  Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-06-15, "Safeguarding Personally Identifiable Information" since the most recent self-review, including the agency's policies and processes, and the administrative, technical, and physical means used to control and protect personally identifiable information (PII).

      Response Categories:
       - Excellent
       - Good
       - Satisfactory
       - Poor
       - Failing

      Response: Poor

      Comments: GSA has not comprehensively assessed the adequacy of implementation for existing privacy controls in GSA PII systems and does not identify roles and responsibilities for verifying the implementation of those controls. Contracts for systems with PII do not yet consistently include privacy-related Federal Acquisition Regulation (FAR) clauses, and technical scanning on a sample of PII systems revealed that patches have not been consistently applied, leaving some databases vulnerable to known exploits. Controls have been implemented to support least privilege access, but one system inappropriately allowed users to view sensitive information about government facilities. Controls for encryption of PII stored on mobile devices or accessing PII from personal computers are not yet implemented.


Question 7: Configuration Management

7.a.  Is there an agency-wide security configuration policy? Yes or No.
      Response: Yes

      Comments: GSA's IT Security Policy requires all agency systems to use GSA technical guidelines, NIST guidelines, or industry best practices for purposes of security configuration and hardening.

7.b.  Approximate the extent to which applicable information systems apply common security configurations established by NIST.

      Response categories:
       - Rarely- for example, approximately 0-50% of the time
       - Sometimes- for example, approximately 51-70% of the time
       - Frequently- for example, approximately 71-80% of the time
       - Mostly- for example, approximately 81-95% of the time
       - Almost Always- for example, approximately 96-100% of the time

      Response: Mostly (81-95% of the time)


Section C - Inspector General: Questions 8, 9, 10 and 11
Agency Name: General Services Administration

Question 8: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. If appropriate or necessary, include comments in the area provided below.

8.a.  The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.
      Response: Yes

8.b.  The agency follows documented policies and procedures for external reporting to US-CERT. Yes or No. (http://www.us-cert.gov)
      Response: Yes

8.c.  The agency follows documented policies and procedures for reporting to law enforcement. Yes or No.
      Response: Yes

Comments: The GSA-CIO has developed a procedural guide that outlines the policies and procedures for incident handling and reporting across the Agency. Incident handling and reporting were generally consistent with this guide for the five systems we reviewed.


Question 9: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?

Response Categories:
 - Rarely- or approximately 0-50% of employees
 - Sometimes- or approximately 51-70% of employees
 - Frequently- or approximately 71-80% of employees
 - Mostly- or approximately 81-95% of employees
 - Almost Always- or approximately 96-100% of employees

Response: Almost Always (96-100% of employees)


Question 10: Peer-to-Peer File Sharing

Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.
Response: Yes


Question 11: E-Authentication Risk Assessments

The agency has completed system e-authentication risk assessments. Yes or No.
Response: Yes


APPENDIX B

SYSTEMS WHOSE CONTROLS WERE EVALUATED BY THE OFFICE OF INSPECTOR GENERAL IN 2007 AND INCLUDED IN RESPONSES TO THE OMB REPORTING TEMPLATE IN APPENDIX A

System: Region 8 FTS LAN
  Owner: Office of the Chief Information Officer (I); formerly Rocky Mountain Region 8, Denver, Colorado (8A)
  Description: The Region 8 FTS LAN functions, personnel, hardware, and software were transferred from the region to the GSA-CIO as part of the Agency's IT infrastructure consolidation initiative in early 2007. The Region 8 FTS LAN is a general support system, which supports users at the Denver Federal Center. This system provides connectivity in support of workflow processing, email, and procurement-related services. The Region 8 FTS LAN is an Agency system categorized as moderate risk.

System: Region 8 PBS LAN
  Owner: Office of the Chief Information Officer (I); formerly Rocky Mountain Region 8, Denver, Colorado (8A)
  Description: The Region 8 PBS LAN functions, personnel, hardware, and software were transferred from the region to the GSA-CIO as part of the Agency's IT infrastructure consolidation initiative in early 2007. The Region 8 PBS LAN supports users across six states, incorporates Voice over Internet Protocol (VoIP), and is administered from regional offices in Denver, Colorado. The LAN is a general support system categorized as moderate risk and provides connectivity in support of workflow processing, e-mail, and procurement-related services. The Region 8 PBS LAN is an Agency system categorized as moderate risk.

System: GSAjobs
  Owner: Office of the Chief Human Capital Officer (C)
  Description: GSAjobs is owned and operated by Monster Government Solutions and provides services to GSA under the terms of a multiple award schedule contract task order. This contractor-provided solution is a Privacy Act system containing the personally identifiable information of job applicants and is categorized as moderate risk.

System: Fleet Management System (FMS)
  Owner: Federal Acquisition Service (Q)
  Description: FMS is a contractor-supported system used to manage GSA's fleet of 200,000 motor vehicles and is categorized as moderate risk. The system includes a number of web applications used to report mileage, report vehicles for sale, log accidents, and track vehicles from the GSA Automotive Center.

System: Pegasys
  Owner: Office of the Chief Financial Officer (B)
  Description: Pegasys is GSA's web-based core financial management system, supported by contractors, and is categorized as moderate risk. The system provides detailed and summary financial information in a multitude of formats and has more than twenty interfaces with other GSA applications/systems. Results from an ongoing audit of Pegasys are included in responses to the OMB Reporting Template but are not addressed in the body of this report.


FOR OFFICIAL USE ONLY
DRAFT REPORT

APPENDIX C

GSA CIO'S RESPONSE TO DRAFT AUDIT REPORT
                                 REPORT NUMBER A070108/O/T/F07015\n\n                                                         APPENDIX D\n\n                                               REPORT DISTRIBUTION\n\n                                                                                                                              Copies\n\nChief Information Officer (I) .......................................................................................................3\n\nChief Financial Officer (B)..........................................................................................................2\n\nCommissioner, Federal Acquisition Service (Q) .........................................................................1\n\nChief Human Capital Officer (C) ................................................................................................1\n\nRegional Administrator, Rocky Mountain Region (8A)..............................................................1\n\nAudit Follow-up and Evaluation Branch (BECA).......................................................................1\n\nAssistant Inspector General for Auditing (JA and JAO) .............................................................2\n\nDeputy Assistant Inspector General for Finance and Administrative Audits (JA-F) ..................1\n\nDeputy Assistant Inspector General for Acquisition Audits (JA-A) ...........................................1\n\nDeputy Assistant Inspector General for Information Technology Audits (JA-T) .......................1\n\nAdministration and Data Systems Staff (JAS).............................................................................1\n\nAssistant Inspector General for Investigations (JI)......................................................................1\n\nRegional Inspector General for Auditing, Heartland Region (JA-6)...........................................1\n\nRegional Inspector General for Investigations, Heartland Region (JI-6) 
....................................1\n\n\n\n\n                                                                  D-1\n\x0c'